IAPP Europe Data Protection Congress 2025

BRUSSELS

19-20 November


Cyber Resilience Act Sliced and Diced

Wednesday, 19 Nov.

12:00 - 13:00 CET

Intermediate level

BREAKOUT SESSION | PROGRAM MANAGEMENT | REGULATORY GUIDANCE | DATA SECURITY

Maria Aholainen, CIPP/E, Counsel, Hannes Snellman Attorneys
Kira Ahveninen-Kuha, Global Lead Digital Counsel, ABB (Motion)
Jussi Leppälä, AIGP, CIPP/E, CIPM, CIPT, FIP, Data Privacy Officer, Valmet

The EU Cyber Resilience Act establishes a new security benchmark for products with digital elements in the EU. The first deadlines already loom in 2026. Understanding the EU CRA builds on novel legal terms like “core function” and “intended use.” These escalate into product categorization, risk assessments and different roadmaps, where the goal can be anything from self-declaration to examination by notified bodies. While standardization can provide some help and companies adhering to standards like IEC 62443 are arguably better positioned for the CRA, cybersecurity standards may not be the most practical approach for all scenarios. Newer products can be easy to align, but older product lines may need a more tailored approach to the CRA. The CRA also raises questions about upgrading already sold products and delivering products that interoperate with legacy environments. The interaction with the Data Act and the GDPR must also be taken into consideration.

 

What you will learn:

  • Key commercial questions that arise from the CRA.
  • How to split the CRA into categories of requirements and their stakeholder base. 
  • Where and where not to refer to standardization and IEC 62443 on the CRA journey.